Vista 7 Zero-Day Followed by Internet Explorer 7 Zero-Day

Summary: Vista 7 as exposed as the naked emperor; Internet Explorer received similar treatment as users are under attack and no remedy is available

OVER the past week and a half we wrote several posts about the illusion of security in Vista 7. Among those posts:

  1. Vista 7 Exploit is Out (Zero-Day Vulnerability)
  2. If Microsoft Cannot be Sued Over Liability, Can it be Sued for Negligence?
  3. Microsoft Won't Secure Firefox/Chrome Users, Shows More Negligence


Reports on this subject kept coming, and all that came from Microsoft was an advisory (not a patch). Regarding another serious crack that led to security issues in Vista 7, reports suggest that it "comes as no surprise," proving yet again that Microsoft does not give a damn about security.

There is now the following serious incident, which has caused incalculable harm. No report seems to say which platform is to blame, but the University of East Anglia is not necessarily a docile Windows shop, not judging by its Web site anyway. It actually abandoned Solaris for GNU/Linux when Sun began roaming the streets looking for love. Does anyone know what mail systems are used at the University of East Anglia?

A 61MB ZIP file was posted on a Russian FTP server late last night, local time. It contains over a thousand emails, and around three thousand other items including source code and data files. Emails are peppered with disparaging remarks and a crude cartoon of sceptical scientists is also included in the archive - suggesting the hacker roamed wide across the University's servers.


More at The Guardian.

A spokesperson for the University of East Anglia said: "We are aware that information from a server used for research information in one area of the university has been made available on public websites. Because of the volume of this information we cannot currently confirm that all this material is genuine. This information has been obtained and published without our permission and we took immediate action to remove the server in question from operation. We are undertaking a thorough internal investigation and have involved the police in this inquiry."


Regardless of what this "server in question" actually runs, Microsoft is taking a weird approach to security, recommending a different architecture (not a different platform) as a cure for executables that exploit Windows by design, not merely by how they were compiled.

Meanwhile we find that users of Internet Explorer 7 (version 6 also) are under attack due to a zero-day flaw. [hat tip: Tony Manco]

According to Symantec, which has quickly tested the exploit code that appeared on the Bugtraq list at insecure.org, the code as it stands is not 100% reliable but the security researchers expect that a “fully-functional reliable exploit will be available in the near future”. And that means exploit code that will enable websites to be infected, and any IE6 and 7 users with JavaScript enabled to be compromised.


More information at IDG:

The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer.


No fix is available yet, except a download that's called Firefox or Fedora. But Microsoft does not want people to say the "F" word, so it will probably deliver a patch very soon.

To Free software's credit, it rarely waits for attacks to occur before addressing security vulnerabilities.

More on Vista 7 insecurity:
